1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Miscellaneous string-handling functions. Some are not required for
10 utilities and tests, and are cut out by the COMPILE_UTILITY macro. */
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Test for IP address *
20 *************************************************/
22 /* This used just to be a regular expression, but with IPv6 things are a bit
23 more complicated. If the address contains a colon, it is assumed to be a v6
24 address (assuming HAVE_IPV6 is set). If a mask is permitted and one is present,
25 and maskptr is not NULL, its offset is placed there.
29 maskptr NULL if no mask is permitted to follow
30 otherwise, points to an int where the offset of '/' is placed
31 if there is no / followed by trailing digits, *maskptr is set 0
32 errp NULL if no diagnostic information is required, and if the netmask
33 length should not be checked. Otherwise it is set pointing to a short
36 Returns: 0 if the string is not a textual representation of an IP address
37 4 if it is an IPv4 address
38 6 if it is an IPv6 address
40 The legacy string_is_ip_address() function follows below.
43 string_is_ip_addressX(const uschar *ip_addr, int *maskptr, const uschar **errp) {
44 struct addrinfo hints;
47 uschar *slash, *percent;
51 const uschar *addr = 0;
53 /* If there is a slash, but we didn't request a (optional) netmask,
54 we return failure, as we do if the mask isn't a pure numerical value,
55 or if it is negative. The actual length is checked later, once we know
56 the address family. */
57 if (slash = Ustrchr(ip_addr, '/'))
61 if (errp) *errp = "netmask found, but not requested";
66 mask = Ustrtol(slash+1, &rest, 10);
67 if (*rest || mask < 0)
69 if (errp) *errp = "netmask not numeric or <0";
73 *maskptr = slash - ip_addr; /* offset of the slash */
75 } else if (maskptr) *maskptr = 0; /* no slash found */
77 /* The interface-ID suffix (%<id>) is optional (for IPv6). If it
78 exists, we check it syntactically. Later, if we know the address
79 family is IPv4, we might reject it.
80 The interface-ID is mutually exclusive with the netmask, to the
81 best of my knowledge. */
82 if (percent = Ustrchr(ip_addr, '%'))
86 if (errp) *errp = "interface-ID and netmask are mutually exclusive";
89 for (uschar *p = percent+1; *p; p++)
90 if (!isalnum(*p) && !ispunct(*p))
92 if (errp) *errp = "interface-ID must match [[:alnum:][:punct:]]";
98 /* inet_pton() can't parse netmasks and interface IDs, so work on a shortened copy
99 allocated on the current stack */
101 ptrdiff_t l = endp - ip_addr;
104 if (errp) *errp = "rudiculous long ip address string";
107 addr = alloca(l+1); /* *BSD does not have strndupa() */
108 Ustrncpy((uschar *)addr, ip_addr, l);
109 ((uschar*)addr)[l] = '\0';
110 } else addr = ip_addr;
113 union { /* we do not need this, but inet_pton() needs a place for storage */
118 af = Ustrchr(addr, ':') ? AF_INET6 : AF_INET;
119 if (!inet_pton(af, addr, &sa))
121 if (errp) *errp = af == AF_INET6 ? "IP address string not parsable as IPv6"
122 : "IP address string not parsable IPv4";
125 /* we do not check the values of the mask here, as
126 this is done on the callers side (but I don't understand why), so
127 actually I'd like to do it here, but it breaks at least 0002 */
131 if (errp && mask > 128)
133 *errp = "IPv6 netmask value must not be >128";
140 if (errp) *errp = "IPv4 address string must not have an interface-ID";
143 if (errp && mask > 32) {
144 *errp = "IPv4 netmask value must not be >32";
149 if (errp) *errp = "unknown address family (should not happen)";
155 string_is_ip_address(const uschar *ip_addr, int *maskptr) {
156 return string_is_ip_addressX(ip_addr, maskptr, 0);
159 #endif /* COMPILE_UTILITY */
162 /*************************************************
163 * Format message size *
164 *************************************************/
166 /* Convert a message size in bytes to printing form, rounding
167 according to the magnitude of the number. A value of zero causes
168 a string of spaces to be returned.
171 size the message size in bytes
172 buffer where to put the answer
174 Returns: pointer to the buffer
175 a string of exactly 5 characters is normally returned
179 string_format_size(int size, uschar *buffer)
181 if (size == 0) Ustrcpy(buffer, US" ");
182 else if (size < 1024) sprintf(CS buffer, "%5d", size);
183 else if (size < 10*1024)
184 sprintf(CS buffer, "%4.1fK", (double)size / 1024.0);
185 else if (size < 1024*1024)
186 sprintf(CS buffer, "%4dK", (size + 512)/1024);
187 else if (size < 10*1024*1024)
188 sprintf(CS buffer, "%4.1fM", (double)size / (1024.0 * 1024.0));
190 sprintf(CS buffer, "%4dM", (size + 512 * 1024)/(1024*1024));
196 #ifndef COMPILE_UTILITY
197 /*************************************************
198 * Convert a number to base 62 format *
199 *************************************************/
201 /* Convert a long integer into an ASCII base 62 string. For Cygwin the value of
202 BASE_62 is actually 36. Always return exactly 6 characters plus zero, in a
205 Argument: a long integer
206 Returns: pointer to base 62 string
210 string_base62(unsigned long int value)
212 static uschar yield[7];
213 uschar *p = yield + sizeof(yield) - 1;
217 *(--p) = base62_chars[value % BASE_62];
222 #endif /* COMPILE_UTILITY */
226 /*************************************************
227 * Interpret escape sequence *
228 *************************************************/
230 /* This function is called from several places where escape sequences are to be
231 interpreted in strings.
234 pp points a pointer to the initiating "\" in the string;
235 the pointer gets updated to point to the final character
236 If the backslash is the last character in the string, it
238 Returns: the value of the character escape
242 string_interpret_escape(const uschar **pp)
244 #ifdef COMPILE_UTILITY
245 const uschar *hex_digits= CUS"0123456789abcdef";
248 const uschar *p = *pp;
250 if (ch == '\0') return **pp;
251 if (isdigit(ch) && ch != '8' && ch != '9')
254 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
256 ch = ch * 8 + *(++p) - '0';
257 if (isdigit(p[1]) && p[1] != '8' && p[1] != '9')
258 ch = ch * 8 + *(++p) - '0';
263 case 'b': ch = '\b'; break;
264 case 'f': ch = '\f'; break;
265 case 'n': ch = '\n'; break;
266 case 'r': ch = '\r'; break;
267 case 't': ch = '\t'; break;
268 case 'v': ch = '\v'; break;
274 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
275 if (isxdigit(p[1])) ch = ch * 16 +
276 Ustrchr(hex_digits, tolower(*(++p))) - hex_digits;
286 #ifndef COMPILE_UTILITY
287 /*************************************************
288 * Ensure string is printable *
289 *************************************************/
291 /* This function is called for critical strings. It checks for any
292 non-printing characters, and if any are found, it makes a new copy
293 of the string with suitable escape sequences. It is most often called by the
294 macro string_printing(), which sets flags to 0.
298 flags Bit 0: convert tabs. Bit 1: convert spaces.
300 Returns: string with non-printers encoded as printing sequences
304 string_printing2(const uschar *s, int flags)
306 int nonprintcount = 0;
315 || flags & SP_TAB && c == '\t'
316 || flags & SP_SPACE && c == ' '
321 if (nonprintcount == 0) return s;
323 /* Get a new block of store guaranteed big enough to hold the
326 tt = ss = store_get(length + nonprintcount * 3 + 1, s);
328 /* Copy everything, escaping non printers. */
334 && (!(flags & SP_TAB) || c != '\t')
335 && (!(flags & SP_SPACE) || c != ' ')
343 case '\n': *tt++ = 'n'; break;
344 case '\r': *tt++ = 'r'; break;
345 case '\b': *tt++ = 'b'; break;
346 case '\v': *tt++ = 'v'; break;
347 case '\f': *tt++ = 'f'; break;
348 case '\t': *tt++ = 't'; break;
349 default: sprintf(CS tt, "%03o", *t); tt += 3; break;
357 #endif /* COMPILE_UTILITY */
359 /*************************************************
360 * Undo printing escapes in string *
361 *************************************************/
363 /* This function is the reverse of string_printing2. It searches for
364 backslash characters and if any are found, it makes a new copy of the
365 string with escape sequences parsed. Otherwise it returns the original
371 Returns: string with printing escapes parsed back
375 string_unprinting(uschar *s)
377 uschar *p, *q, *r, *ss;
380 p = Ustrchr(s, '\\');
383 len = Ustrlen(s) + 1;
384 ss = store_get(len, s);
398 *q++ = string_interpret_escape((const uschar **)&p);
403 r = Ustrchr(p, '\\');
429 #if (defined(HAVE_LOCAL_SCAN) || defined(EXPAND_DLFUNC)) \
430 && !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY)
431 /*************************************************
432 * Copy and save string *
433 *************************************************/
436 Argument: string to copy
437 Returns: copy of string in new store with the same taint status
441 string_copy_function(const uschar * s)
443 return string_copy_taint(s, s);
446 /* As above, but explicitly specifying the result taint status
450 string_copy_taint_function(const uschar * s, const void * proto_mem)
452 return string_copy_taint(s, proto_mem);
457 /*************************************************
458 * Copy and save string, given length *
459 *************************************************/
461 /* It is assumed the data contains no zeros. A zero is added
466 n number of characters
468 Returns: copy of string in new store
472 string_copyn_function(const uschar * s, int n)
474 return string_copyn(s, n);
479 /*************************************************
480 * Copy and save string in malloc'd store *
481 *************************************************/
483 /* This function assumes that memcpy() is faster than strcpy().
485 Argument: string to copy
486 Returns: copy of string in new store
490 string_copy_malloc(const uschar * s)
492 int len = Ustrlen(s) + 1;
493 uschar * ss = store_malloc(len);
500 /*************************************************
501 * Copy string if long, inserting newlines *
502 *************************************************/
504 /* If the given string is longer than 75 characters, it is copied, and within
505 the copy, certain space characters are converted into newlines.
507 Argument: pointer to the string
508 Returns: pointer to the possibly altered string
512 string_split_message(uschar * msg)
516 if (!msg || Ustrlen(msg) <= 75) return msg;
517 s = ss = msg = string_copy(msg);
522 while (i < 75 && *ss && *ss != '\n') ss++, i++;
534 if (t[-1] == ':') { tt = t; break; }
539 if (!tt) /* Can't split behind - try ahead */
544 if (*t == ' ' || *t == '\n')
550 if (!tt) break; /* Can't find anywhere to split */
561 /*************************************************
562 * Copy returned DNS domain name, de-escaping *
563 *************************************************/
565 /* If a domain name contains top-bit characters, some resolvers return
566 the fully qualified name with those characters turned into escapes. The
567 convention is a backslash followed by _decimal_ digits. We convert these
568 back into the original binary values. This will be relevant when
569 allow_utf8_domains is set true and UTF-8 characters are used in domain
570 names. Backslash can also be used to escape other characters, though we
571 shouldn't come across them in domain names.
573 Argument: the domain name string
574 Returns: copy of string in new store, de-escaped
578 string_copy_dnsdomain(uschar * s)
581 uschar * ss = yield = store_get(Ustrlen(s) + 1, GET_TAINTED); /* always treat as tainted */
587 else if (isdigit(s[1]))
589 *ss++ = (s[1] - '0')*100 + (s[2] - '0')*10 + s[3] - '0';
601 #ifndef COMPILE_UTILITY
602 /*************************************************
603 * Copy space-terminated or quoted string *
604 *************************************************/
606 /* This function copies from a string until its end, or until whitespace is
607 encountered, unless the string begins with a double quote, in which case the
608 terminating quote is sought, and escaping within the string is done. The length
609 of a de-quoted string can be no longer than the original, since escaping always
610 turns n characters into 1 character.
612 Argument: pointer to the pointer to the first character, which gets updated
613 Returns: the new string
617 string_dequote(const uschar ** sptr)
619 const uschar * s = * sptr;
622 /* First find the end of the string */
625 while (*s && !isspace(*s)) s++;
629 while (*s && *s != '\"')
631 if (*s == '\\') (void)string_interpret_escape(&s);
637 /* Get enough store to copy into */
639 t = yield = store_get(s - *sptr + 1, *sptr);
645 while (*s && !isspace(*s)) *t++ = *s++;
649 while (*s && *s != '\"')
651 *t++ = *s == '\\' ? string_interpret_escape(&s) : *s;
657 /* Update the pointer and return the terminated copy */
663 #endif /* COMPILE_UTILITY */
667 /*************************************************
668 * Format a string and save it *
669 *************************************************/
671 /* The formatting is done by string_vformat, which checks the length of
672 everything. Taint is taken from the worst of the arguments.
675 format a printf() format - deliberately char * rather than uschar *
676 because it will most usually be a literal string
677 func caller, for debug
678 line caller, for debug
679 ... arguments for format
681 Returns: pointer to fresh piece of store containing sprintf'ed string
685 string_sprintf_trc(const char * format, const uschar * func, unsigned line, ...)
687 #ifdef COMPILE_UTILITY
688 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
689 gstring gs = { .size = STRING_SPRINTF_BUFFER_SIZE, .ptr = 0, .s = buffer };
694 unsigned flags = SVFMT_REBUFFER|SVFMT_EXTEND;
699 g = string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
704 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
705 "string_sprintf expansion was longer than %d; format string was (%s)\n"
706 " called from %s %d\n",
707 STRING_SPRINTF_BUFFER_SIZE, format, func, line);
709 #ifdef COMPILE_UTILITY
710 return string_copyn(g->s, g->ptr);
712 gstring_release_unused(g);
713 return string_from_gstring(g);
719 /*************************************************
720 * Case-independent strncmp() function *
721 *************************************************/
727 n number of characters to compare
729 Returns: < 0, = 0, or > 0, according to the comparison
733 strncmpic(const uschar * s, const uschar * t, int n)
737 int c = tolower(*s++) - tolower(*t++);
744 /*************************************************
745 * Case-independent strcmp() function *
746 *************************************************/
753 Returns: < 0, = 0, or > 0, according to the comparison
757 strcmpic(const uschar * s, const uschar * t)
761 int c = tolower(*s++) - tolower(*t++);
762 if (c != 0) return c;
768 /*************************************************
769 * Case-independent strstr() function *
770 *************************************************/
772 /* The third argument specifies whether whitespace is required
773 to follow the matched string.
777 t substring to search for
778 space_follows if TRUE, match only if whitespace follows
780 Returns: pointer to substring in string, or NULL if not found
784 strstric_c(const uschar * s, const uschar * t, BOOL space_follows)
786 const uschar * p = t;
787 const uschar * yield = NULL;
788 int cl = tolower(*p);
789 int cu = toupper(*p);
793 if (*s == cl || *s == cu)
795 if (!yield) yield = s;
798 if (!space_follows || s[1] == ' ' || s[1] == '\n' ) return yield;
819 strstric(uschar * s, uschar * t, BOOL space_follows)
821 return US strstric_c(s, t, space_follows);
825 #ifdef COMPILE_UTILITY
826 /* Dummy version for this function; it should never be called */
828 gstring_grow(gstring * g, int count)
836 #ifndef COMPILE_UTILITY
837 /*************************************************
838 * Get next string from separated list *
839 *************************************************/
841 /* Leading and trailing space is removed from each item. The separator in the
842 list is controlled by the int pointed to by the separator argument as follows:
844 If the value is > 0 it is used as the separator. This is typically used for
845 sublists such as slash-separated options. The value is always a printing
848 (If the value is actually > UCHAR_MAX there is only one item in the list.
849 This is used for some cases when called via functions that sometimes
850 plough through lists, and sometimes are given single items.)
852 If the value is <= 0, the string is inspected for a leading <x, where x is an
853 ispunct() or an iscntrl() character. If found, x is used as the separator. If
856 (a) if separator == 0, ':' is used
857 (b) if separator <0, -separator is used
859 In all cases the value of the separator that is used is written back to the
860 int so that it is used on subsequent calls as we progress through the list.
862 A literal ispunct() separator can be represented in an item by doubling, but
863 there is no way to include an iscntrl() separator as part of the data.
866 listptr points to a pointer to the current start of the list; the
867 pointer gets updated to point after the end of the next item
868 separator a pointer to the separator character in an int (see above)
869 buffer where to put a copy of the next string in the list; or
870 NULL if the next string is returned in new memory
871 Note that if the list is tainted then a provided buffer must be
872 also (else we trap, with a message referencing the callsite).
873 If we do the allocation, taint is handled there.
874 buflen when buffer is not NULL, the size of buffer; otherwise ignored
876 func caller, for debug
877 line caller, for debug
879 Returns: pointer to buffer, containing the next substring,
880 or NULL if no more substrings
884 string_nextinlist_trc(const uschar ** listptr, int * separator, uschar * buffer,
885 int buflen, const uschar * func, int line)
887 int sep = *separator;
888 const uschar * s = *listptr;
893 /* This allows for a fixed specified separator to be an iscntrl() character,
894 but at the time of implementation, this is never the case. However, it's best
895 to be conservative. */
897 while (isspace(*s) && *s != sep) s++;
899 /* A change of separator is permitted, so look for a leading '<' followed by an
900 allowed character. */
904 if (*s == '<' && (ispunct(s[1]) || iscntrl(s[1])))
908 while (isspace(*s) && *s != sep) s++;
911 sep = sep ? -sep : ':';
915 /* An empty string has no list elements */
917 if (!*s) return NULL;
919 /* Note whether whether or not the separator is an iscntrl() character. */
921 sep_is_special = iscntrl(sep);
923 /* Handle the case when a buffer is provided. */
924 /*XXX need to also deal with qouted-requirements mismatch */
929 if (is_tainted(s) && !is_tainted(buffer))
930 die_tainted(US"string_nextinlist", func, line);
933 if (*s == sep && (*(++s) != sep || sep_is_special)) break;
934 if (p < buflen - 1) buffer[p++] = *s;
936 while (p > 0 && isspace(buffer[p-1])) p--;
940 /* Handle the case when a buffer is not provided. */
946 /* We know that *s != 0 at this point. However, it might be pointing to a
947 separator, which could indicate an empty string, or (if an ispunct()
948 character) could be doubled to indicate a separator character as data at the
949 start of a string. Avoid getting working memory for an empty item. */
952 if (*++s != sep || sep_is_special)
955 return string_copy(US"");
958 /* Not an empty string; the first character is guaranteed to be a data
964 for (ss = s + 1; *ss && *ss != sep; ) ss++;
965 g = string_catn(g, s, ss-s);
967 if (!*s || *++s != sep || sep_is_special) break;
970 /* Trim trailing spaces from the returned string */
972 /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
973 while ( g->ptr > 0 && isspace(g->s[g->ptr-1])
974 && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
976 buffer = string_from_gstring(g);
977 gstring_release_unused_trc(g, CCS func, line);
980 /* Update the current pointer and return the new string */
987 static const uschar *
988 Ustrnchr(const uschar * s, int c, unsigned * len)
993 if (!*s) return NULL;
1006 /************************************************
1007 * Add element to separated list *
1008 ************************************************/
1009 /* This function is used to build a list, returning an allocated null-terminated
1010 growable string. The given element has any embedded separator characters
1013 Despite having the same growable-string interface as string_cat() the list is
1014 always returned null-terminated.
1017 list expanding-string for the list that is being built, or NULL
1018 if this is a new list that has no contents yet
1019 sep list separator character
1020 ele new element to be appended to the list
1022 Returns: pointer to the start of the list, changed if copied for expansion.
1026 string_append_listele(gstring * list, uschar sep, const uschar * ele)
1030 if (list && list->ptr)
1031 list = string_catn(list, &sep, 1);
1033 while((sp = Ustrchr(ele, sep)))
1035 list = string_catn(list, ele, sp-ele+1);
1036 list = string_catn(list, &sep, 1);
1039 list = string_cat(list, ele);
1040 (void) string_from_gstring(list);
1046 string_append_listele_n(gstring * list, uschar sep, const uschar * ele,
1051 if (list && list->ptr)
1052 list = string_catn(list, &sep, 1);
1054 while((sp = Ustrnchr(ele, sep, &len)))
1056 list = string_catn(list, ele, sp-ele+1);
1057 list = string_catn(list, &sep, 1);
1061 list = string_catn(list, ele, len);
1062 (void) string_from_gstring(list);
1068 /* A slightly-bogus listmaker utility; the separator is a string so
1069 can be multiple chars - there is no checking for the element content
1070 containing any of the separator. */
1073 string_append2_listele_n(gstring * list, const uschar * sepstr,
1074 const uschar * ele, unsigned len)
1076 if (list && list->ptr)
1077 list = string_cat(list, sepstr);
1079 list = string_catn(list, ele, len);
1080 (void) string_from_gstring(list);
1086 /************************************************/
1087 /* Add more space to a growable-string. The caller should check
1088 first if growth is required. The gstring struct is modified on
1089 return; specifically, the string-base-pointer may have been changed.
1092 g the growable-string
1093 count amount needed for g->ptr to increase by
1097 gstring_grow(gstring * g, int count)
1100 int oldsize = g->size;
1102 /* Mostly, string_cat() is used to build small strings of a few hundred
1103 characters at most. There are times, however, when the strings are very much
1104 longer (for example, a lookup that returns a vast number of alias addresses).
1105 To try to keep things reasonable, we use increments whose size depends on the
1106 existing length of the string. */
1108 unsigned inc = oldsize < 4096 ? 127 : 1023;
1110 if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
1111 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1112 "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
1114 if (count <= 0) return;
1116 if (count >= INT_MAX/2 - g->ptr)
1117 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1118 "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
1120 g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
1122 /* Try to extend an existing allocation. If the result of calling
1123 store_extend() is false, either there isn't room in the current memory block,
1124 or this string is not the top item on the dynamic store stack. We then have
1125 to get a new chunk of store and copy the old string. When building large
1126 strings, it is helpful to call store_release() on the old string, to release
1127 memory blocks that have become empty. (The block will be freed if the string
1128 is at its start.) However, we can do this only if we know that the old string
1129 was the last item on the dynamic memory stack. This is the case if it matches
1132 if (!store_extend(g->s, oldsize, g->size))
1133 g->s = store_newblock(g->s, g->size, p);
1138 /*************************************************
1139 * Add chars to string *
1140 *************************************************/
1141 /* This function is used when building up strings of unknown length. Room is
1142 always left for a terminating zero to be added to the string that is being
1143 built. This function does not require the string that is being added to be NUL
1144 terminated, because the number of characters to add is given explicitly. It is
1145 sometimes called to extract parts of other strings.
1148 g growable-string that is being built, or NULL if not assigned yet
1149 s points to characters to add
1150 count count of characters to add; must not exceed the length of s, if s
1153 Returns: growable string, changed if copied for expansion.
1154 Note that a NUL is not added, though space is left for one. This is
1155 because string_cat() is often called multiple times to build up a
1156 string - there's no point adding the NUL till the end.
1157 NULL is a possible return.
1160 /* coverity[+alloc] */
1163 string_catn(gstring * g, const uschar * s, int count)
1168 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1169 "internal error in string_catn (count %d)", count);
1170 if (count == 0) return g;
1172 /*debug_printf("string_catn '%.*s'\n", count, s);*/
1175 unsigned inc = count < 4096 ? 127 : 1023;
1176 unsigned size = ((count + inc) & ~inc) + 1; /* round up requested count */
1177 g = string_get_tainted(size, s);
1179 else if (!g->s) /* should not happen */
1181 g->s = string_copyn(s, count);
1183 g->size = count; /*XXX suboptimal*/
1186 else if (is_incompatible(g->s, s))
1188 /* debug_printf("rebuf A\n"); */
1189 gstring_rebuffer(g, s);
1192 if (g->ptr < 0 || g->ptr > g->size)
1193 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1194 "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
1197 if (count >= g->size - p)
1198 gstring_grow(g, count);
1200 /* Because we always specify the exact number of characters to copy, we can
1201 use memcpy(), which is likely to be more efficient than strncopy() because the
1202 latter has to check for zero bytes. */
1204 memcpy(g->s + p, s, count);
1211 string_cat(gstring * g, const uschar * s)
1213 return string_catn(g, s, Ustrlen(s));
1218 /*************************************************
1219 * Append strings to another string *
1220 *************************************************/
1222 /* This function can be used to build a string from many other strings.
1223 It calls string_cat() to do the dirty work.
1226 g growable-string that is being built, or NULL if not yet assigned
1227 count the number of strings to append
1228 ... "count" uschar* arguments, which must be valid zero-terminated
1231 Returns: growable string, changed if copied for expansion.
1232 The string is not zero-terminated - see string_cat() above.
1235 __inline__ gstring *
1236 string_append(gstring * g, int count, ...)
1240 va_start(ap, count);
1243 uschar * t = va_arg(ap, uschar *);
1244 g = string_cat(g, t);
1254 /*************************************************
1255 * Format a string with length checks *
1256 *************************************************/
1258 /* This function is used to format a string with checking of the length of the
1259 output for all conversions. It protects Exim from absent-mindedness when
1260 calling functions like debug_printf and string_sprintf, and elsewhere. There
1261 are two different entry points to what is actually the same function, depending
1262 on whether the variable length list of data arguments are given explicitly or
1265 The formats are the usual printf() ones, with some omissions (never used) and
1266 three additions for strings: %S forces lower case, %T forces upper case, and
1267 %#s or %#S prints nothing for a NULL string. Without the # "NULL" is printed
1268 (useful in debugging). There is also the addition of %D and %M, which insert
1269 the date in the form used for datestamped log files.
1272 buffer a buffer in which to put the formatted string
1273 buflen the length of the buffer
1274 format the format string - deliberately char * and not uschar *
1275 ... or ap variable list of supplementary arguments
1277 Returns: TRUE if the result fitted in the buffer
1281 string_format_trc(uschar * buffer, int buflen,
1282 const uschar * func, unsigned line, const char * format, ...)
1284 gstring g = { .size = buflen, .ptr = 0, .s = buffer }, * gp;
1286 va_start(ap, format);
1287 gp = string_vformat_trc(&g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1297 /* Build or append to a growing-string, sprintf-style.
1301 func called-from function name, for debug
1302 line called-from file line number, for debug
1303 limit maximum string size
1305 format printf-like format string
1306 ap variable-args pointer
1309 SVFMT_EXTEND buffer can be created or exteded as needed
1310 SVFMT_REBUFFER buffer can be recopied to tainted mem as needed
1311 SVFMT_TAINT_NOCHK do not check inputs for taint
1313 If the "extend" flag is true, the string passed in can be NULL,
1314 empty, or non-empty. Growing is subject to an overall limit given
1315 by the limit argument.
1317 If the "extend" flag is false, the string passed in may not be NULL,
1318 will not be grown, and is usable in the original place after return.
1319 The return value can be NULL to signify overflow.
1321 Returns the possibly-new (if copy for growth or taint-handling was needed)
1322 string, not nul-terminated.
1326 string_vformat_trc(gstring * g, const uschar * func, unsigned line,
1327 unsigned size_limit, unsigned flags, const char * format, va_list ap)
1329 enum ltypes { L_NORMAL=1, L_SHORT=2, L_LONG=3, L_LONGLONG=4, L_LONGDOUBLE=5, L_SIZE=6 };
1331 int width, precision, off, lim, need;
1332 const char * fp = format; /* Deliberately not unsigned */
1334 string_datestamp_offset = -1; /* Datestamp not inserted */
1335 string_datestamp_length = 0; /* Datestamp not inserted */
1336 string_datestamp_type = 0; /* Datestamp not inserted */
1338 #ifdef COMPILE_UTILITY
1339 assert(!(flags & SVFMT_EXTEND));
1343 /* Ensure we have a string, to save on checking later */
1344 if (!g) g = string_get(16);
1346 if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, format))
1348 #ifndef MACRO_PREDEF
1349 if (!(flags & SVFMT_REBUFFER))
1350 die_tainted(US"string_vformat", func, line);
1352 /* debug_printf("rebuf B\n"); */
1353 gstring_rebuffer(g, format);
1355 #endif /*!COMPILE_UTILITY*/
1357 lim = g->size - 1; /* leave one for a nul */
1358 off = g->ptr; /* remember initial offset in gstring */
1360 /* Scan the format and handle the insertions */
1364 int length = L_NORMAL;
1367 const char *null = "NULL"; /* ) These variables */
1368 const char *item_start, *s; /* ) are deliberately */
1369 char newformat[16]; /* ) not unsigned */
1370 char * gp = CS g->s + g->ptr; /* ) */
1372 /* Non-% characters just get copied verbatim */
1376 /* Avoid string_copyn() due to COMPILE_UTILITY */
1377 if ((need = g->ptr + 1) > lim)
1379 if (!(flags & SVFMT_EXTEND) || need > size_limit) return NULL;
1383 g->s[g->ptr++] = (uschar) *fp++;
1387 /* Deal with % characters. Pick off the width and precision, for checking
1388 strings, skipping over the flag and modifier characters. */
1391 width = precision = -1;
1393 if (strchr("-+ #0", *(++fp)) != NULL)
1395 if (*fp == '#') null = "";
1399 if (isdigit((uschar)*fp))
1401 width = *fp++ - '0';
1402 while (isdigit((uschar)*fp)) width = width * 10 + *fp++ - '0';
1404 else if (*fp == '*')
1406 width = va_arg(ap, int);
1413 precision = va_arg(ap, int);
1417 for (precision = 0; isdigit((uschar)*fp); fp++)
1418 precision = precision*10 + *fp - '0';
1420 /* Skip over 'h', 'L', 'l', 'll' and 'z', remembering the item length */
1423 { fp++; length = L_SHORT; }
1424 else if (*fp == 'L')
1425 { fp++; length = L_LONGDOUBLE; }
1426 else if (*fp == 'l')
1428 { fp += 2; length = L_LONGLONG; }
1430 { fp++; length = L_LONG; }
1431 else if (*fp == 'z')
1432 { fp++; length = L_SIZE; }
1434 /* Handle each specific format type. */
1439 nptr = va_arg(ap, int *);
1440 *nptr = g->ptr - off;
1448 width = length > L_LONG ? 24 : 12;
1449 if ((need = g->ptr + width) > lim)
1451 if (!(flags & SVFMT_EXTEND) || need >= size_limit) return NULL;
1452 gstring_grow(g, width);
1454 gp = CS g->s + g->ptr;
1456 strncpy(newformat, item_start, fp - item_start);
1457 newformat[fp - item_start] = 0;
1459 /* Short int is promoted to int when passing through ..., so we must use
1460 int for va_arg(). */
1466 g->ptr += sprintf(gp, newformat, va_arg(ap, int)); break;
1468 g->ptr += sprintf(gp, newformat, va_arg(ap, long int)); break;
1470 g->ptr += sprintf(gp, newformat, va_arg(ap, LONGLONG_T)); break;
1472 g->ptr += sprintf(gp, newformat, va_arg(ap, size_t)); break;
1479 if ((need = g->ptr + 24) > lim)
1481 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1482 gstring_grow(g, 24);
1484 gp = CS g->s + g->ptr;
1486 /* sprintf() saying "(nil)" for a null pointer seems unreliable.
1487 Handle it explicitly. */
1488 if ((ptr = va_arg(ap, void *)))
1490 strncpy(newformat, item_start, fp - item_start);
1491 newformat[fp - item_start] = 0;
1492 g->ptr += sprintf(gp, newformat, ptr);
1495 g->ptr += sprintf(gp, "(nil)");
1499 /* %f format is inherently insecure if the numbers that it may be
1500 handed are unknown (e.g. 1e300). However, in Exim, %f is used for
1501 printing load averages, and these are actually stored as integers
1502 (load average * 1000) so the size of the numbers is constrained.
1503 It is also used for formatting sending rates, where the simplicity
1504 of the format prevents overflow. */
1511 if (precision < 0) precision = 6;
1512 if ((need = g->ptr + precision + 8) > lim)
1514 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1515 gstring_grow(g, precision+8);
1517 gp = CS g->s + g->ptr;
1519 strncpy(newformat, item_start, fp - item_start);
1520 newformat[fp-item_start] = 0;
1521 if (length == L_LONGDOUBLE)
1522 g->ptr += sprintf(gp, newformat, va_arg(ap, long double));
1524 g->ptr += sprintf(gp, newformat, va_arg(ap, double));
1530 if ((need = g->ptr + 1) > lim)
1532 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1536 g->s[g->ptr++] = (uschar) '%';
1540 if ((need = g->ptr + 1) > lim)
1542 if (!(flags & SVFMT_EXTEND || need >= size_limit)) return NULL;
1546 g->s[g->ptr++] = (uschar) va_arg(ap, int);
1549 case 'D': /* Insert daily datestamp for log file names */
1550 s = CS tod_stamp(tod_log_datestamp_daily);
1551 string_datestamp_offset = g->ptr; /* Passed back via global */
1552 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1553 string_datestamp_type = tod_log_datestamp_daily;
1554 slen = string_datestamp_length;
1557 case 'M': /* Insert monthly datestamp for log file names */
1558 s = CS tod_stamp(tod_log_datestamp_monthly);
1559 string_datestamp_offset = g->ptr; /* Passed back via global */
1560 string_datestamp_length = Ustrlen(s); /* Passed back via global */
1561 string_datestamp_type = tod_log_datestamp_monthly;
1562 slen = string_datestamp_length;
1566 case 'S': /* Forces *lower* case */
1567 case 'T': /* Forces *upper* case */
1568 s = va_arg(ap, char *);
1573 if (!(flags & SVFMT_TAINT_NOCHK) && is_incompatible(g->s, s))
1574 if (flags & SVFMT_REBUFFER)
1576 /* debug_printf("%s %d: untainted workarea, tainted %%s :- rebuffer\n", __FUNCTION__, __LINE__); */
1577 gstring_rebuffer(g, s);
1578 gp = CS g->s + g->ptr;
1580 #ifndef MACRO_PREDEF
1582 die_tainted(US"string_vformat", func, line);
1585 INSERT_STRING: /* Come to from %D or %M above */
1588 BOOL truncated = FALSE;
1590 /* If the width is specified, check that there is a precision
1591 set; if not, set it to the width to prevent overruns of long
1596 if (precision < 0) precision = width;
1599 /* If a width is not specified and the precision is specified, set
1600 the width to the precision, or the string length if shorted. */
1602 else if (precision >= 0)
1603 width = precision < slen ? precision : slen;
1605 /* If neither are specified, set them both to the string length. */
1608 width = precision = slen;
1610 if ((need = g->ptr + width) >= size_limit || !(flags & SVFMT_EXTEND))
1612 if (g->ptr == lim) return NULL;
1616 width = precision = lim - g->ptr - 1;
1617 if (width < 0) width = 0;
1618 if (precision < 0) precision = 0;
1621 else if (need > lim)
1623 gstring_grow(g, width);
1625 gp = CS g->s + g->ptr;
1628 g->ptr += sprintf(gp, "%*.*s", width, precision, s);
1630 while (*gp) { *gp = tolower(*gp); gp++; }
1631 else if (fp[-1] == 'T')
1632 while (*gp) { *gp = toupper(*gp); gp++; }
1634 if (truncated) return NULL;
1638 /* Some things are never used in Exim; also catches junk. */
1641 strncpy(newformat, item_start, fp - item_start);
1642 newformat[fp-item_start] = 0;
1643 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "string_format: unsupported type "
1644 "in \"%s\" in \"%s\"", newformat, format);
1649 if (g->ptr > g->size)
1650 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1651 "string_format internal error: caller %s %d", func, line);
1657 #ifndef COMPILE_UTILITY
1658 /*************************************************
1659 * Generate an "open failed" message *
1660 *************************************************/
1662 /* This function creates a message after failure to open a file. It includes a
1663 string supplied as data, adds the strerror() text, and if the failure was
1664 "Permission denied", reads and includes the euid and egid.
1667 format a text format string - deliberately not uschar *
1668 func caller, for debug
1669 line caller, for debug
1670 ... arguments for the format string
1672 Returns: a message, in dynamic store
1676 string_open_failed_trc(const uschar * func, unsigned line,
1677 const char * format, ...)
1680 gstring * g = string_get(1024);
1682 g = string_catn(g, US"failed to open ", 15);
1684 /* Use the checked formatting routine to ensure that the buffer
1685 does not overflow. It should not, since this is called only for internally
1686 specified messages. If it does, the message just gets truncated, and there
1687 doesn't seem much we can do about that. */
1689 va_start(ap, format);
1690 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
1691 SVFMT_REBUFFER, format, ap);
1694 g = string_catn(g, US": ", 2);
1695 g = string_cat(g, US strerror(errno));
1697 if (errno == EACCES)
1699 int save_errno = errno;
1700 g = string_fmt_append(g, " (euid=%ld egid=%ld)",
1701 (long int)geteuid(), (long int)getegid());
1704 gstring_release_unused(g);
1705 return string_from_gstring(g);
1712 /* qsort(3), currently used to sort the environment variables
1713 for -bP environment output, needs a function to compare two pointers to string
1714 pointers. Here it is. */
1717 string_compare_by_pointer(const void *a, const void *b)
1719 return Ustrcmp(* CUSS a, * CUSS b);
1721 #endif /* COMPILE_UTILITY */
1726 /*************************************************
1727 **************************************************
1728 * Stand-alone test program *
1729 **************************************************
1730 *************************************************/
1737 printf("Testing is_ip_address\n");
1740 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1743 buffer[Ustrlen(buffer) - 1] = 0;
1744 printf("%d\n", string_is_ip_address(buffer, NULL));
1745 printf("%d %d %s\n", string_is_ip_address(buffer, &offset), offset, buffer);
1748 printf("Testing string_nextinlist\n");
1750 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1752 uschar *list = buffer;
1760 sep1 = sep2 = list[1];
1767 uschar *item1 = string_nextinlist(&lp1, &sep1, item, sizeof(item));
1768 uschar *item2 = string_nextinlist(&lp2, &sep2, NULL, 0);
1770 if (item1 == NULL && item2 == NULL) break;
1771 if (item == NULL || item2 == NULL || Ustrcmp(item1, item2) != 0)
1773 printf("***ERROR\nitem1=\"%s\"\nitem2=\"%s\"\n",
1774 (item1 == NULL)? "NULL" : CS item1,
1775 (item2 == NULL)? "NULL" : CS item2);
1778 else printf(" \"%s\"\n", CS item1);
1782 /* This is a horrible lash-up, but it serves its purpose. */
1784 printf("Testing string_format\n");
1786 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
1789 long long llargs[3];
1799 buffer[Ustrlen(buffer) - 1] = 0;
1801 s = Ustrchr(buffer, ',');
1802 if (s == NULL) s = buffer + Ustrlen(buffer);
1804 Ustrncpy(format, buffer, s - buffer);
1805 format[s-buffer] = 0;
1812 s = Ustrchr(ss, ',');
1813 if (s == NULL) s = ss + Ustrlen(ss);
1817 Ustrncpy(outbuf, ss, s-ss);
1818 if (Ustrchr(outbuf, '.') != NULL)
1821 dargs[n++] = Ustrtod(outbuf, NULL);
1823 else if (Ustrstr(outbuf, "ll") != NULL)
1826 llargs[n++] = strtoull(CS outbuf, NULL, 10);
1830 args[n++] = (void *)Uatoi(outbuf);
1834 else if (Ustrcmp(ss, "*") == 0)
1836 args[n++] = (void *)(&count);
1842 uschar *sss = malloc(s - ss + 1);
1843 Ustrncpy(sss, ss, s-ss);
1850 if (!dflag && !llflag)
1851 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1852 args[0], args[1], args[2])? "True" : "False");
1855 printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1856 dargs[0], dargs[1], dargs[2])? "True" : "False");
1858 else printf("%s\n", string_format(outbuf, sizeof(outbuf), CS format,
1859 llargs[0], llargs[1], llargs[2])? "True" : "False");
1861 printf("%s\n", CS outbuf);
1862 if (countset) printf("count=%d\n", count);
1869 /* End of string.c */